Bernard Pietraga

Daily writes Ruby / Elixir / Puppet. Nightly writes Crystal / Golang / JavaScript

3 Comments

  1. Michal J.
    30/08/2017 @ 06:08

    While it’s nice you’re explaining how to do the same exchange in both Elixir and Ruby, it’s worrying that you’re butchering the crypto along the way. Using a static IV in CBC mode is a bad idea (you’re leaking data, and worse) and using a non-authenticated cipher mode also leads to a host of other problems (like, gosh, people modifying your data and running a padding oracle against your endpoint).

    Please use a proper authenticated cipher mode and a random (non-repeating) IV. Or better yet, use libsodium (OSS implementation of Bernstein’s NaCl), which will not allow you to do crypto101 blunders.


    • Bernard Pietraga
      30/08/2017 @ 07:45

      Hello Michał,
      Thank you for commenting here!

      I point to the “Notice” section of the first paragraph.

      Yes, I do agree that AES CBC alone is not the proper way to go; this is, as I mention, an example of an implementation which can be used for other kinds of algorithms included in libraries. In the Notice section I advise and provide links for going with JSON Web Token if you are less concerned about security, or taking libsodium for a spin.

      This is just an example of basic integration, and some pointers on how to get going and where to search. This is not any kind of production drag-and-drop code which will make your connection secure but allow programmer based on this article secure connection.

      Kind regards,
      Bernard

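The first comment's point about static IVs and unauthenticated modes, as an added example (not code from the article or its author) using Ruby's standard OpenSSL bindings. The function names and sample message are hypothetical; the all-zero IV is constructed to show the weak setting beside the corrected one.

```ruby
require 'openssl'

# Weak setting: AES-CBC with a fixed IV and no authentication.
# Equal plaintexts (and equal leading blocks) give equal ciphertext.
def cbc_static_iv_encrypt(key, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.encrypt
  cipher.key = key
  cipher.iv = "\x00" * 16 # constructed static IV, for demonstration only
  cipher.update(plaintext) + cipher.final
end

# Corrected setting: AES-256-GCM with a fresh random nonce per message.
# Nonce, ciphertext and tag all travel with the message.
def gcm_encrypt(key, plaintext, aad = '')
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.encrypt
  cipher.key = key
  nonce = cipher.random_iv # 96-bit random nonce, never reused with this key
  cipher.auth_data = aad
  ciphertext = cipher.update(plaintext) + cipher.final
  { nonce: nonce, ciphertext: ciphertext, tag: cipher.auth_tag }
end

# Returns the plaintext, or nil when the tag does not verify.
def gcm_decrypt(key, msg, aad = '')
  return nil unless msg[:tag].bytesize == 16 # reject truncated tags
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.decrypt
  cipher.key = key
  cipher.iv = msg[:nonce]
  cipher.auth_tag = msg[:tag]
  cipher.auth_data = aad
  cipher.update(msg[:ciphertext]) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil # modified ciphertext, nonce, tag or AAD, or the wrong key
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::Random.random_bytes(32)
  msg = 'user=alice;amount=100' # constructed sample message
  same = cbc_static_iv_encrypt(key, msg) == cbc_static_iv_encrypt(key, msg)
  puts "CBC, static IV: repeated message visible on the wire? #{same}"
  sealed = gcm_encrypt(key, msg)
  flipped = sealed[:ciphertext].dup
  flipped.setbyte(0, flipped.getbyte(0) ^ 1) # simulate in-transit modification
  puts "GCM: round trip ok? #{gcm_decrypt(key, sealed) == msg}"
  puts "GCM: modified message rejected? #{gcm_decrypt(key, sealed.merge(ciphertext: flipped)).nil?}"
end
```

Because the receiver rejects any message whose tag fails before returning plaintext, there is no padding-dependent error for an oracle to observe.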

  2. BB
    20/06/2018 @ 08:15

    Nice job man! I understood everything perfectly! Amazing work, and very well explained. Thank you very much, now I understand more than before, but still have to learn. Good luck in this project.

